ASSESSMENT REPORT 13-19

Federal PKI Compliance Report
September 6, 2013

Date: September 6, 2013
To: Chief Information Officer
From: Inspector General
Subject: Assessment Report - Federal PKI Compliance Report
Report Number 13-19

Enclosed please find the subject final report. The Office of the Inspector General administered a contract with Ernst & Young LLP (E&Y) to provide a compliance report of GPO’s Public Key Infrastructure (PKI) for July 1, 2012 through June 30, 2013. E&Y conducted their work in accordance with attestation standards established by the American Institute of Certified Public Accountants.

E&Y concluded that GPO’s assertion is fairly stated in all material respects. E&Y also issued a Letter of Supplementary Information, concluding that the GPO Principal Certification Authority Certificate Practices Statement conformed in all material respects to the GPO-Certificate Authority and Federal PKI common policies. E&Y is responsible for the attached report and the opinion expressed therein.

We appreciate the courtesies extended to E&Y and to our audit staff. If you have any questions or comments about this report, please do not hesitate to contact Mr. Jeffrey C. Womack, Assistant Inspector General for Audits and Inspections at (202) 512-2009 or me at (202) 512-0039.

Michael A. Raponi
Inspector General

Enclosure

cc:
Public Printer
Deputy Public Printer
General Counsel

U.S. Government Printing Office

Report of Independent Accountants
Federal PKI Compliance Report
For the Period July 1, 2012 to June 30, 2013

Table of Contents

Report of Independent Accountants
Management Assertion
Letter of Supplementary Information
Summary of Matters Relating to Project Personnel

EY LLP
8484 Westpark Drive
McLean, Virginia 22102
Tel: +1 703 747 1000
Fax: +1 703 747 0100
ey.com

Report of Independent Accountants

We have examined the assertion, dated August 16, 2013, by the management of the United States Government Printing Office (“GPO”), that GPO’s Certification Authority (GPO-CA) complied with certain requirements of its Certificate Policy (CP), Version 1.3.1 dated August 17, 2009 and its Certificate Practices Statement (CPS) Version 1.7.2 dated February 21, 2013 for the period July 1, 2012 to June 30, 2013, as well as the requirements of the Federal PKI Authority and all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO with other entities.

Management of the GPO is responsible for its compliance with those requirements. Our responsibility is to express an opinion on management’s assertion about the GPO’s compliance based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and accordingly, included examining, on a test basis, evidence about GPO-CA’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specific requirements.

In our opinion, for the period from July 1, 2012 through June 30, 2013, GPO management’s assertion, as set forth in the first paragraph, is fairly stated, in all material respects.

This report is intended solely for the information and use of the GPO and the U.S. Federal PKI Policy Authority and is not intended to be and should not be used by anyone other than those specified parties.

August 16, 2013

A member firm of EY Global Limited

August 16, 2013

Letter of Supplementary Information

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO CA):

This letter provides supplementary information to the examination performed by Ernst & Young LLP of the assertion by the management of the GPO-CA regarding the certification authority services it provides at http://www.gpo.gov/projects/pki.htm.

Management’s assertions were based on the American Institute of Certified Public Accountants (AICPA)/Canadian Institute of Chartered Accountants WebTrust for Certification Authorities criteria. GPO-CA’s management was responsible for its assertion. Our responsibility was to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included examining, on a test basis, evidence about GPO’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specified requirements.

The period for this examination was from July 1, 2012 through June 30, 2013. Our examination was performed between February 14, 2013 and July 17, 2013.

We examined the Certificate Policy (CP) for the GPO-CA version 1.3.1, dated August 17, 2009, and the Certification Practices Statement (CPS) for the GPO Principal Certification Authority (GPO-PCA) version 1.7.2, dated February 21, 2013. Multiple Root CAs were not in operation at GPO-CA.

Our examination included, through our testing of management’s assertion, the evaluation of GPO-CA’s operations for conformance to the requirements of its CPS and the evaluation of GPO-CA’s operations for conformance to the requirements of all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO-CA with other entities. In our Report of Independent Accountants dated August 16, 2013, we reported that management’s assertion was fairly stated in all material respects.

We have compared the CPS for the GPO-PCA version 1.7.2, dated February 21, 2013, for conformance to the CP for the GPO-CA version 1.3.1, dated August 17, 2009. We found, in all material respects, that the GPO-PCA CPS is in conformance with GPO-CA CP.

We have compared the CPS for the GPO-PCA version 1.7.2, dated February 21, 2013 for conformance to the FPKI Common Policy. For this analysis we utilized the Framework Certification Practice Statement Evaluation Mapping Matrix, Version 2.8 (September 22, 2010). We found, in all material respects, that the GPO-PCA CPS is in conformance with the requirements of the FPKI Common Policy.

We are independent of the GPO for the professional engagement period as required by the AICPA Professional Standards.

August 16, 2013

Summary of matters related to project personnel provided by Ernst & Young LLP

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO-CA):

The GPO Office of Inspector General (OIG) has asked Ernst & Young LLP (EY or we) to provide certain information to assist in its efforts to provide the Federal Public Key Infrastructure Policy Authority (FPKIPA) with information about the individuals who performed work as part of the WebTrust for Certification Authority (WTCA) examination services; these services are performed in accordance with relevant American Institute of Certified Public Accountants (AICPA) standards. The FPKIPA sets policy governing operation of the U.S. Federal PKI Infrastructure, composed of: the Federal Bridge Certification Authority (FBCA); the Federal Common Policy Framework Certification Authority (CPFCA); the Citizen and Commerce Class Common Certification Authority (C4CA) and the E-Governance Certification Authority. EY makes no representation regarding the sufficiency of this information for the purposes for which this information was requested. That responsibility rests solely with the FPKIPA.

Educational level and professional experience

Client serving personnel (Professionals) EY has provided to the Agency have received a degree from an accredited college or university (or its equivalent if the individual was educated outside of the United States). Certain individuals may also have advanced degrees. The majority of Professionals provided to the Agency are part of EY’s Advisory Services (AS) service line. Recruiting efforts for the AS practice focuses on candidates with information technology, accounting, finance and other business-related degrees. Hiring activities and types of Professionals hired into each EY service line, including Assurance and Tax, are generally the same as similar service lines and personnel of Deloitte, PwC and KPMG (who along with EY, are the Big Four).

The experience levels of Professionals provided will vary based upon various factors including age and length of time the individual has worked since receiving their degree. The amount of professional experience of Professionals may not solely be related to a person’s employment period with EY, as EY normally hires a combination of experienced Professionals and Professionals who recently graduated from a college or university. In most cases, the experience level within a rank classification of EY Professionals is generally the same as the other Big Four.

Methodologies, policies and procedures

EY Professionals carrying out WTCA examinations are required to comply with policies and procedures within the EY Global Advisory Q&RM Guide (“the Guide”) and related methodologies. In those cases where we do not perform work directly under the supervision and responsibility of Agency personnel as part of an engagement to provide loan staff, and we provide management with our findings and recommendations in those areas where we observe internal controls that, in our view, could be improved, the Guide requires the work and any reports or deliverables to be in accordance with the Statement on Standards for Consulting Services (CS100) of the AICPA. The initial adoption of, and any subsequent changes in, policies and procedures have been reviewed and approved by EY’s Professional Practice group.

Professional certification and continuing education

EY encourages its Professionals to obtain a professional certification. In certain service lines, obtaining a professional certification is a requirement for promotion. Individuals in AS are required to obtain a professional certification to be promoted to Manager. In the AS service line, the most common certifications are Certified Public Accountant (CPA) (or its equivalent in other countries), Certified Internal Auditor (CIA) as recognized by the Institute of Internal Auditors, Certified Information Systems Auditor (CISA) as recognized by ISACA, or Certified Management Accountant (CMA) as recognized by the Institute of Management Accountants.

The continuing professional education requirements of the SEC (Securities and Exchange Commission) Practice Section of the AICPA Division for CPA firms are the foundation of EY’s professional development policy. Participation in professional development programs is measured in units of continuing professional education (CPE) credit hours earned in our educational year. EY’s educational year is July 1 through June 30. The EY policy for compliance is as follows:

– Commencing with the first full educational year of employment, each professional must obtain at least 20 CPE credit hours each year and at least 120 CPE credit hours during the most recent three-year period.

– Professionals who were not employed during the entire most recent educational year are not required to earn continuing professional education credits in that year.

– Professionals who were employed during the entire most recent educational year, but not during the entire most recent two educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during the most recent educational year.

– Professionals who were employed during the entire most recent two educational years, but not during the entire most recent three educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during each of the two most recent educational years.

Professionals who hold a professional designation or certification other than the CPA certification (e.g., CIA, attorney at law, CISA, CMA) may be subject to continuing education requirements as part of that designation or certification. Completion of courses to meet these requirements may be used to meet the firm’s CPE requirements as long as the courses also meet the requirements of the AICPA’s SEC Practice Section.

Experience Auditing PKI Systems

The EY executive team assigned to the GPO project has experience in performing audits and implementation of PKI systems and IT security. In addition, certain team members also have participated in a number of other commercial PKI and WebTrust for CA examinations both as a team member and as a quality reviewer. We have incorporated consultations with other EY personnel who represent the firm on the AICPA WebTrust Task Force. EY’s client roster for PKI projects for governmental agencies other than the GPO includes other US federal agencies as well as foreign governmental monetary organizations.

We are available if you need any additional information or would like to further discuss this memorandum.

Summary information for EY executives assigned to the engagement

Name             Rank                Certifications                 Years of experience   In compliance with EY CPE policy (Yes/No)
Werner Lippuner  Principal           CA (Switzerland), CISA, CISM   24                    Yes
James Merrill    Executive Director  CPA, CISA                      31                    Yes
Bruce Hamilton   Senior Manager      CISSP, CPA, CISA, CISM         32                    Yes
Staci Angel      Senior Manager      CISA                           9                     Yes